2026-02-27

Telco hacked

Image from Unsplash



Most data breaches and hacks are the kind of inconveniences that happen to other people. This time, however, if you live in the Netherlands, there’s a good chance you’re staring rather glumly at an email from your telecom provider. After all, Odido controls roughly one third of the Dutch mobile market. On top of that, they provide fixed internet connections to a million households. And if you’re a Ben customer, you’re out of luck too.

The news is receiving wide coverage in the media. Understandable, given the scale: 6.2 million accounts were stolen from Odido’s customer contact system. Some of those accounts belonged to people who hadn’t been customers for years. Odido discovered this when these individuals responded, puzzled, to the notification email the company sent them. But the sheer size isn’t the only reason to be concerned. The kind of leaked information matters too. It wasn’t just the “usual” personal data such as name, address and email address. This hack also exposed phone numbers, bank account numbers, passport information, citizen service numbers, and even records of payment arrears.

Roughly two million records – containing nearly 700,000 unique email addresses – have already been published, because Odido didn’t comply with the demand from the criminals, who call themselves ShinyHunters, to pay “a low seven‑figure amount” (that’s at least one million euros). And they’re threatening to leak even more data. Plenty of reasons for millions of people to be worried.

Media coverage of the incident mostly focuses on sympathy for Odido and its customers. What you hear much less about is how this could have happened. I do understand that journalists focus on the victims. But still: how did this happen?

Phishing, ladies and gentlemen. In every presentation I emphasize again and again how important it is that everyone is resilient against this form of cybercrime. At Odido, that resilience failed this time. The phish reached customer service employees (possibly at a call centre abroad), who fell for it and handed over their passwords. Even two‑factor authentication (2FA) wasn’t an obstacle: the criminals called the employees, pretended to be colleagues from IT, and obtained the second factor as well. ShinyHunters executed an impressive piece of social engineering here: they didn’t hack the computer system – they hacked the computer users.

They then proceeded to download data. A lot of data. There should have been an automatic emergency brake for that: it should never be possible for a single customer service account to pull such vast quantities of records at once, or to touch thousands of distinct customers in a few minutes without something tripping. It appears that there was no such monitoring in place. If that’s true, it means not only the organisational measures (training) failed, but also the technical ones. You can hardly blame anyone for the failure of training; carefully crafted phishing emails are almost indistinguishable from the real thing. Oh, how I would love to see that phish. Employees handing over their 2FA, however, is something that deserves extra attention: a one‑time code that can be read out over the phone to a “colleague from IT” offers no protection against exactly this kind of attack.
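What such an emergency brake could look like, as an added example that is not part of the original post and not Odido’s code: a sliding‑window detector over constructed customer‑contact audit log lines (not real Odido logs). The threshold of 50 distinct customers per ten minutes, the account names and the log format are all assumptions; a real deployment would tune the threshold to what a human agent actually does during a shift and would block, not just flag.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical threshold: a human agent working tickets has no business
# opening more than this many *distinct* customer records in ten minutes.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_CUSTOMERS = 50


def build_sample_log():
    """Constructed audit-log lines (not real data): 'timestamp account action customer_id'."""
    base = datetime(2026, 2, 20, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    # agent017: a normal shift, one lookup every five minutes plus one repeat view
    for i in range(12):
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} agent017 view_customer C1{i:04d}")
    lines.append(f"{(base + timedelta(minutes=61)).isoformat()} agent017 view_customer C10003")
    # agent042: after a successful vishing call, a script pulls one new customer per second
    start = base + timedelta(hours=1)
    for i in range(60):
        ts = start + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} agent042 view_customer C2{i:04d}")
    return lines


def parse_line(line):
    """Split one audit line into (timestamp, account, action, customer_id)."""
    ts, account, action, customer = line.split()
    return datetime.fromisoformat(ts), account, action, customer


def detect_bulk_access(lines, window=WINDOW, threshold=MAX_DISTINCT_CUSTOMERS):
    """Sliding-window detector.

    Returns {account: (first_trip_time, distinct_count)} for every account that
    touched more than `threshold` distinct customers within `window`. Repeated
    views of the same customer do not count twice, so a legitimate agent who
    keeps reopening one ticket is not flagged.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)  # account -> deque of (timestamp, customer_id)
    tripped = {}
    for ts, account, action, customer in events:
        if action not in ("view_customer", "export_customer"):
            continue
        q = recent[account]
        q.append((ts, customer))
        # Evict everything older than the window relative to this event.
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({c for _, c in q})
        if distinct > threshold and account not in tripped:
            tripped[account] = (ts, distinct)  # the brake would fire here
    return tripped


if __name__ == "__main__":
    for account, (when, count) in detect_bulk_access(build_sample_log()).items():
        print(f"BRAKE: {account} reached {count} distinct customers at {when.isoformat()}")
```

In the constructed log the scripted account trips the brake on its 51st distinct customer, less than a minute after it starts, while the agent doing ordinary lookups never exceeds three in any ten‑minute window. The point is not the exact numbers but that a per‑account velocity check is cheap to run on the audit trail that a customer contact system already produces, and that it turns a helpdesk login into something that cannot drain the whole database.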

Odido itself is being notably tight‑lipped. I expected a statement on the homepage of their website, but only after some digging did I find the “Information page Odido cyber incident”. First, there’s an extremely short official statement. Underneath, in giant letters, they advertise the free protection against phishing and other threats that they offer to their customers (one wonders if they use it themselves…?). Only then comes a detailed explanation of what happened, and some do’s and don’ts. The bottom line: criminals with access to the leaked data can impersonate you and carry out all sorts of actions at your expense. So, in the coming period, keep a close eye on the invoices you receive and check your bank account for unfamiliar direct debits.

In the FAQ they raise the question of whether Odido’s security was adequate. But they don’t really answer it. Instead, we get the usual platitudes: safety is our top priority, we continuously work on improvements, but yes, criminals are very clever too.

Whether Odido was, in the end, careful enough in securing its assets – personnel included – will undoubtedly be investigated thoroughly. But whether we’ll ever get to hear the answer is another matter.


And in the big bad world…

…I was unfortunately too busy with other matters today to fill this section.

